29 Jan Researchers Exploit Low Entropy of IoT Devices to Break RSA Certificates
The researchers didn’t break RSA encryption, but took advantage of how public and private keys are generated. The private key, which is kept secret by the owner, consists of two large, randomly chosen prime numbers, while the public key is the product of those two numbers.
The public key is associated with a certificate, which is a document signed with the trusted party’s private key. The certificate acts as proof that the given public key is associated with the private key and that the public key can be used to encrypt or validate data sent to or from the device. The security of the RSA certificate relies on the difficulty of factoring the prime factors that were randomly chosen to make the keys.
If the prime numbers used to generate a key are truly random, then it shouldn’t be computationally feasible to factor the resulting key, Kilgallin says. However, if the numbers aren’t sufficiently random, the keys can share the same factors, making it possible to calculate and derive the private keys.
The researchers scanned the entire Internet and found 75 million active RSA certificates. Of those certificates, more than 435,000 certificates shared “prime factors,” which translates to about one in every 172 RSA certificates in use on the Internet.
As a point of comparison, the team also pulled 100 million certificates from certificate transparency logs—generated by certificate authorities on powerful servers—and found just five certificates with shared factors.
While many of the certificates with shared factors detected in this research belonged to IoT and networking devices such as routers, it was sometimes difficult to tell how the device was being used and where it was located, Kilgallin says.
So why did some of these devices produce such similar keys?
What Is Entropy?
This is where the concept of entropy comes in. A computer constantly gathers entropy—signals and information that can’t be predicted—and uses that information to generate random numbers. When asked for a random number, the machine must have collected enough details to fundamentally alter its state from when it first booted up, or from the last time the machine was asked. If the machine’s state hasn’t changed that much, it’s more likely to re-generate the same number.
“This is about randomness, not breaking RSA,” says Ted Shorter, chief technology officer and co-founder of Keyfactor. “If things aren’t random, then the whole thing can fall over.”
Entropy can be affected by many things, such as inputs from the keyboard, mouse movement, fan speed, and how fast the hard disk drive is spinning. Windows machines can collect information from the motherboard’s Trusted Platform Module chip, Unified Extensible Firmware Interface (the interface connecting the computer’s firmware to the operating system), and the hardware system clock.
Embedded systems, like those used in IoT devices, have difficulty gathering entropy as they tend to have fewer components—no mouse or keyboards—and may be running stripped down operating systems. That means the machine state may not have changed enough to generate truly random numbers, says Will Ackerly, co-founder and chief technology officer of email encryption and digital privacy company Virtru.
While industrial IoT products, such as systems that control robots on an assembly line, would have plenty of entropy, sensors and many consumer devices face limitations.
The entropy problem in IoT has been known for a while, but Keyfactor’s research shows that attacks that exploit this problem are easier to carry out than previously thought, Ackerly says. Developers can’t be complacent about entropy, especially as IoT devices become more widespread in medical and automotive systems. One way to avoid such issues is to use established software libraries to generate random numbers instead of devising workarounds, such as seeding a custom-made random number generator with an identifier that’s easy to guess (like the device’s MAC address).
Hardware manufacturers or software providers developing kits for developers should include established libraries in those kits and provide instructions for how to use them.
“The more we can standardize software libraries that are understood to be secure and have people using them, all the better,” Ackerly says. “Don’t give them the opportunity to shoot themselves in the foot.”
It’s up to manufacturers, vendors, and developers to make sure the systems have sufficient entropy, though customers can always ask vendors how entropy is handled in their devices.